I live in West Virginia and anything dealing with the state government has to start with an assumption that it is being done for corrupt reasons. Ask first how a contract or project financially benefits key state officials or their family. I can't emphasize enough how predatory and corrupt the government is here. Both leading Republican candidates for governor are under federal corruption investigations. There's a reason West Virginia is losing population and remains among the poorest states in the USA. Where West Virginia isn't corrupt, it is incompetent. The state can't even provide safe drinking water for its people, or even create a framework for official electronic signatures-- it has no business innovating in voting tech. West Virginia is the last place you want as your laboratory for voting technology.
I will say that your state is beautiful though. Driving from Harper's Ferry to Charleston via the Monongahela National Forest remains one of my trips. My favorite memory was discovering a 13,000 square mile radio quiet zone with a gigantic, black hole hunting, radio telescope smack dab in the middle of it.
After stopping to play tourist, I continued driving and stumbled upon a stranded 3 person group, a hetero couple and the wife's sister, who probably weighed 1500 pounds between the 3 of them (no judgements). Their minivan was out of commission, and there was no cellphone reception cuz quiet zone. I offered to help, but I could physically only fit one of them in my Ford Focus hatchback, which could normally fit up to 5 people (uncomfortably). Husband asked if I could get him to Durbin, about 30 minutes down the road, and I said yes. All 500 pounds of him squeezed into the front seat, which itself was an adventure because I am 6'5" and was a heftier 300 pounds myself, and he was spilling a bit into the driver's seat. I was basically squished between the car door and a human wall.
I loved every minute of it. Husband was an awesome dude. We chatted about his career as a coal miner (complete with a mild case of black lung disease and pending heart failure), life in a sleepy area, and all sorts of stuff. When we got to Durbin, he just asked me to let him down, where he planned to find a phone to call his preacher, who also happened to be the "local" tow truck driver. He walked/waddled off towards some buildings off the main road, and I continued my journey.
Anyone interested in some history of coal country, a great book is "Night Comes to the Cumberlands: A Biography of a Depressed Area" by Harry M. Caudill. Published 1962.
While the focus of the book is eastern Kentucky, a lot of the content applies to WV and coal country in general.
"At the time it was written, Night Comes to the Cumberlands framed an urgent appeal to the American Conscience. Today it details Appalachia's difficult past, and at the same time, presents an accurate historical backdrop for a contemporary understanding of the Appalachian region."
> When asked about why a redacted audit or report from the auditors wasn’t released, Voatz co-founder and CEO Nimit Sawhney, who co-authored the white paper, gave multiple reasons. First, he pointed to a nondisclosure agreement with the auditors. Then, he stated that there was no way to share any more information about the audit without revealing proprietary information about the system. But one would expect a redacted report or even an abstract of the report for transparency’s sake, given the stakes of introducing a new system to our already rickety voting process. Depending on the secrecy of its system architecture is such a poor security mechanism that researchers have even coined a term for it: security by obscurity.
In the context of nascent tech like this, most people just don't know the right questions to ask, unfortunately.
Perhaps in the near future we will be treated to a layman's explanation of the prevalent (and corrupt) usage of federated blockchains, 'exposed' in a Netflix doc. :)
Get a reverse osmosis system. Or buy RO filtered water from the local grocery store by the 3 or 5 gallon jug.
Edited to add: our household does this. We live in a rented townhouse, so we're unable to add our own plumbing or electrical stuff. Yes, it's an expense to buy our own drinking/cooking water, but we just don't trust city water. If you live in a nice area with a diligent water authority, that's fine, but those types of places are a vanishing minority in the USA nowadays.
Yes. I assume they're referencing the chemical spill several years ago, and the water has tested clean consistently since.
I've never heard of other issues with the water quality in Charleston (assuming it's city water and not straight from the Kanawha), and I consider it some of the better-tasting municipal water in the Mid-Atlantic region.
Maybe? The annual water quality tests for chemical contamination look reasonable.
But a quick check of boil water orders (i.e. bacterial infestations) suggests that Massachusetts needs five or six a year, and West Virginia needs five or six a week. That could be sampling bias.
I suspect the incompetence is by design to some extent. If you like small government, cripple it and then you've got an excuse to limit its reach and continue to cut.
It isn't really small government culture-- both Republican candidates were very recently Democrats (the state has flipped parties). It is more a pervasive culture of natural resource extraction and disdain for the public's health and safety. Probably a function of the "resource curse". https://en.wikipedia.org/wiki/Resource_curse
What I find interesting after reading the linked Wikipedia article is that the USA as a whole is not suffering from the resource curse. I wonder, just tangentially, because:
1. We are net exporters of many vital resources (food, in particular wheat and corn, is one I can think of off hand)
2. We have an abundance of natural resources and a wide variety of those natural resources to grow our economy
3. At various stages in history, we were basically the world's largest exporter of raw and manufactured goods and materials.
Yet, we aren't classified as having suffered through this.
Odd right? Or is my casual understanding just incorrect?
The resource curse occurs when there are abundant natural resources and a group of people small enough to coordinate action controls those resources.
In the eastern half of the USA, most of the land is owned by (relatively) small holders, who are too numerous to not compete against each other. That is slowly changing as consolidation continues to occur, but the base ownership of resources is so diffuse that there would still need to be a lot of consolidation for resource cartels to become dominant.
Besides winning the Civil War and outlawing slavery, the Lincoln administration also passed one of the most momentous series of laws in American economic history with the Homestead Acts, which sold almost 10% of the total area of the US for pennies as long as the land would be homesteaded, that is, occupied by someone who worked the land. This was a deliberate policy of the Free Soil movement to prevent moneyed interests, primarily plantation owners, from gobbling up the frontier.
In eastern places where large estates had already been assembled, such as Appalachian coal country and the Mississippi Delta, politics has been predictably corrupt and exploitative.
Where the frontier land was not homesteaded (mostly arid western lands), "land barons" gained control of much of it and began to manipulate local politics in a similarly predictable way.
The remaining western public lands also benefited from the notion of "scientific administration" in vogue during the late 19th and early 20th centuries. Some land agencies are worse than others (Parks service is a far better steward than the BLM, for example) but by and large the federal agencies have succeeded in preventing the formation of new land baronies.
We were immensely helped by the world wars wiping out so much capital abroad. Even before that, the civil war while costing much life only jump-started our industrial capacity as the fighting was never that far north.
The resource curse is basically a mercantilist problem where the resources extracted are almost entirely exported, and little domestic industry outside of resource extraction.
If it makes you feel any better, California is also failing to provide safe tap drinking water for everyone. In a few places, the wells are dry. In others the water is contaminated.
That's not anywhere close to the same thing. In California, the cause of that is climate change, not corruption. The sources for the rural communities are drying up. Secondly, the state is sending bottled water to the people who don't have clean drinking water. And third, the Governor just last week signed an appropriations bill that will provide millions for clean water projects out of the funds that were allocated for "green enhancement programs" because they recognize that this is the fault of climate change.
Interestingly, that appropriation will take up to 130 million dollars a year for the next decade from a fund that was originally designed for something different: helping to reduce greenhouse gas emissions.
The drinking water plan has alarmed some environmental groups, who worry it sets a precedent of the state using the cap and trade money for other purposes as the state struggles to meet its emission reduction goals.
So, it sure looks like, in order to address certain water supply problems, which are admittedly exacerbated by global warming, California will diminish its own efforts to reduce greenhouse gas emissions!
Consider that the "... Central Valley has been sinking ... since the 1920s and is estimated to have sunk up to 28 feet. During drought years, the valley is prone to accelerated subsidence": https://en.wikipedia.org/wiki/Central_Valley_land_subsidence
As far back as 1988 there was scientific consensus that the earth was on a trajectory toward a doubling of CO2 levels and by 2001 the IPCC said "it was much more likely than not that our civilization faced severe global warming": https://www.scientificamerican.com/article/discovery-of-glob...
About 30 million Californians rely at least partially upon groundwater sources for their water, but the state didn't get around to regulating well drilling until 2014 with a relatively weak law that "does not go as far as other Western states by granting state agencies the power to authorize or prohibit groundwater withdrawals": https://www.kqed.org/science/21706/what-to-know-about-califo...
I predict that we'll keep seeing well failures in California and that government's actions will not be enough to reliably provide safe tap water to all of California's communities.
It's more than just global warming and I didn't say the cause was corruption (though I cannot rule that possibility out). I just said California did not provide clean tap water for everyone. Nevertheless, governmental failure of one kind or another is a huge and important reason for California's tap water problems.
The fact that there is government provided bottled water in some places should not be looked upon as good management or a success story. It's a bandaid on a broken system and a statewide failure to manage and provide safe water resources and infrastructure.
The appropriations bill you mention does not make up for the years of failure to provide clean, contaminant free tap water on an equal basis to all communities statewide. And even if it succeeds across the state in every community, it will take years to actually fix all of the tap water problems.
Five days ago, The NY Times reported As many as 1,000 community water systems in California may be at high risk of failing to deliver potable water — one out of every three — according to a previously undisclosed estimate by senior officials at the California State Water Resources Control Board:
The Guardian reports that some Central Valley communities have water contaminated by arsenic, It’s cruel to be living in a state that’s so powerful, so rich, but we can’t count on clean water...:
> Ask first how a contract or project financially benefits key state officials or their family.
Typical flyover state simpletons. If they were thinking long term like the enlightened people in the urban coastal states they would direct the proceeds of their corruption at their party. After doing this for a couple decades they can have a de-facto one party state and dole out government jobs and contracts to a much wider cross section than just their friends and family further cementing their party's (i.e. their professional network) grip on power.
(this is sarcasm, in case that isn't immediately obvious)
Blockchain for voting sounds like a terrible invitation to a terrible party. Voting is already a delicate subject which is really hard to secure on information systems. Researchers have spent decades to figure out a perfect solution but came short.
Blockchain has already surpassed its boundaries for multiple reasons. However, voting should be beyond that line. There are many questions that need to be answered before even thinking about using blockchain for voting.
- How will identification work?
- What is the proof-of-work scheme?
- How can you be sure that every vote ends up in the ledger? Transactions usually get lost and sometimes takes few tries to reach to miner.
- Most important property is that not a single vote should be traced back to its caster. Blockchain is all public, how are you going to anonymize everything? IP addresses of transaction owners are already open.
That's the whole problem, and always unsolved (because it's hard). You need to be able to ensure that votes are made by real people, that votes aren't duplicated, and that votes are included in a count. Some of this is easy, some of this is near impossible. None of this is solved by a blockchain, which is at its core simply a remarkably inefficient, if decentralized, timestamping system. When a "blockchain" is presented as a solution, ask why the trustworthiness of timestamping was holding back a particular technology before now.
Also, if you rely on a third party to do identification for you, you simply don't need a blockchain.
Blockchain is heavily constrained by the vital requirement of not trusting any third party whatsoever. If you relax this, you can build much simpler systems that are equally secure regarding non-repudiation and other properties but don't need proof of work.
Blockchain has one genuine purpose: value transactions where you can't rely on societal legal framework, nor do counterparties trust each other. "Silk Road".
ZCash (from what I can understand of it) seems like it could be the basis to use. Suppose everyone sets up a wallet and they get paid one ZVoteCoin at voter registration. Then they go home and do a shielded transaction (you didn't even mention anonymity) to their favored candidate. Their wallet should tell them that the transaction went through.
The voters can see that their own transaction went through. Administrators (and everyone else) can count total votes cast at the end of the elections by the balances of the candidates' wallets. That's at least as good as paper ballots in this specific respect.
> and people that shouldn't have a vote didn't vote.
The voter's wallet can be tied to the voter's registration. Again, at least as good as what we have now, in this specific respect.
I think I've just made a more elaborated restatement of what I already said. Could you identify a specific hole in my system? You could point to voting software _in general_ being a bad idea, and that's fair enough. But it doesn't sound like that's what you were saying.
Concerns about vote selling and coercion are already gone. It's practically impossible to actually prevent people from filming their votes as they are cast, and livestreaming my vote to you is just as good as having you sit in my doorway for it.
The beauty of paper ballots is you can spoil them and get a new blank sheet. Sure, livestream yourself filling out your ballot. That doesn't mean you actually cast that ballot. The poll workers will tell you to put your camera away when you're outside the booth on the way to the ballot box.
I don't know where you live but all of the polling places around me are very clear about not allowing photography. Similarly, someone who has pressure to vote a different way has the option of taking that picture to show to their boss and then getting a new ballot after voiding the old one.
If your boss, union leader, controlling spouse, etc. tells you to vote a certain way, they would gain the ability to demand that you give them your identifier if it's public or, if not, login and show them the final vote status. This is very hard to detect and anyone proposing a blockchain needs to learn why election systems are designed the way they are first since this is not a hypothetical problem.
We have plenty of jurisdictions with vote-by-mail who've been doing it for a long time. Long enough that we should have some idea how common this occurrence is. It seems like the answer is that one vote isn't worth nearly enough to risk the penalties involved.
This appears reasonable. Votes are anonymous. Every person gets one vote. The software basically always works.
I would scrap the whole "mobile ID" thing, however. You should fill out a voter registration card to get a unique private key that is imported into your wallet.
I'm afraid there are too many ways this may not work, but I'd be more interested in figuring if there are other similarly fundamental problems to online voting.
You might want to look at some of the issues solved by Helios. It's showing its age at this point but the fundamental design goals are the same as if it were designed today.
It doesn't necessarily need to be proof-of-work and I'd think it makes sense to piggyback off a different trusted network of some kind.
> - How can you be sure that every vote ends up in the ledger? Transactions usually get lost and sometimes takes few tries to reach to miner.
Do transactions actually get lost all that often? In my experience, transactions propagate the network pretty reliably and quickly. You can then look at the number of confirmed blocks to reliably check if it's in the ledger.
> - Most important property is that not a single vote should be traced back to its caster. Blockchain is all public, how are you going to anonymize everything? IP addresses of transaction owners are already open.
IP addresses aren't stored, and the actual transaction could be layered on something like Tor to prevent tracing. You could also have physical voting centers. The important thing is that individual voters can verify their own vote.
One big concern I'd have that you didn't really touch on is around management of keys. In addition to identity verification, how do you handle theft of keys? If a key is stolen, how do you handle disputes to what's in the ledger? I would trust tech savvy people to keep their keys safe, but what about people who don't understand technology?
I don't have a good solution for this one, but maybe it's not as big of a problem as it appears at first glance.
If we assume that a key can be made invalid, in a public way so we all know which keys are marked as invalid (= stolen), then each voter can know if their vote is correctly handled or not. If it's not they can have a chance to dispute or change their vote, possibly going through some extra identification procedure.
With this scheme disputes get handled by invalidating previous votes, but in a transparent manner to both. Yes this relies on individual voters to keep the system honest, so their votes aren't used improperly, but isn't this an improvement over the system today? Isn't it a more democratic trust based process rather than having to trust election workers not to cheat?
> Blockchain for voting sounds like a terrible invitation to a terrible party.
I'm expecting a ton of down-votes into oblivion for the following...
Because you can "chip it" doesn't mean you should.
And, just because you can apply technology to something, also doesn't mean you should.
Time and time again we are shown how vulnerable computers and digital data are.
Voting should be done on paper in local areas overseen by people from each party. They all watch the ballot box. They all see who comes in. Together, they count the votes in front of everyone else and tally them on a piece of paper. Then, they call to their higher-ups these numbers, and so on and so forth.
Electronic voting would be extremely convenient, and could do wonders for voter participation rates. I trust my entire net worth to computer systems, why can computers sum up bank statements but not votes?
Financial transactions are frequent, reversible, insured, and don't require parties to be anonymous.
Elections are one-off events where after-the-fact mitigations reduce its validity. Plus, elections require strong privacy (i.e., voters shouldn't be able to reliably show how they voted).
Elections have far tougher constraints than finance.
I'm not convinced voting on a blockchain is a good idea, but here are some thoughts:
> Researchers have spent decades to figure out a perfect solution but came short.
That doesn't mean improvements can't be made. Researchers have spent decades to figure out peer-to-peer money as well, before Bitcoin was invented. But there are many other examples.
> How will identification work?
Presumably in a similar way voting already works. Tokens are given out after IDs have been checked.
> What is the proof-of-work scheme?
You can easily piggy-back on any existing cryptocurrency if you want.
> How can you be sure that every vote ends up in the ledger? Transactions usually get lost and sometimes takes few tries to reach to miner.
You can easily verify that your vote ended up in the ledger. You can verify in seconds that a transaction has propagated in the network as well. Transactions very seldom get lost, unless you're specifically thinking of Bitcoin which suffers from transaction backlogs from time to time.
> Most important property is that not a single vote should be traced back to its caster.
This is the hard technical problem. There are anonymous cryptocurrencies like Monero or ZCash (although their shielded transactions are opt-in) which obscure where transactions come from. Therefore it should be possible to create a system where a single vote cannot be traced back to its caster while you can still count the total number of votes and that a vote is only cast once (these are exactly the properties Monero and ZCash have).
> Researchers have spent decades to figure out a perfect solution but came short.
The problem is not with knowing how to make a secure voting system. We already know how to do that and it's been in production in various states and counties for decades. I was lucky enough to grow up in one. It's not difficult.
The problem is that election administrators in many places aren't tech savvy enough to know the difference between a Diebold machine with no paper trail and weird hooks (like the ability to invert the results), and actually secure, reliable, easy-to-use systems.
Those folks are susceptible to skilled salesmen from big companies peddling insecure voting systems. As are politicians who have a say in which election machines are purchased, and who are looking for kickbacks, donations and revolving door jobs. That's the problem that needs solving.
DARPA and Galois are working on a standard that I hope the Federal Govt will eventually require for all Federal elections. Create the best possible, open, verifiable voting machine standard, allow any company to implement the standard, and then teach election administrators how to verify the implementation correctly adheres to the standard regardless of who the manufacturer was.
Perhaps I'm wrong, but it sounds like your main argument is that current blockchain does presently do these things with the goal of voting in mind, not that it can't do these things.
One benefit of blockchain is allowing extreme accountability, which seems to be a greater and greater requirement of democracy with large populations.
You get less accountability with a blockchain (or any digital voting) system as those systems are much harder to audit and have many more flaws than paper voting.
> A public blockchain is a mere write only database
Precisely. It does nothing to address who can write to it. Ideally, it should be people who are eligible to vote (citizens of the country that are over 18 years old). That's a difficult problem to solve even with paper ballots (especially in a country that doesn't have national IDs), and pretty much impossible to solve with any sort of a digital solution.
> ...that everyone can see.
...or nobody can, as you'd see by reading the article that was submitted.
> Every transaction is available to 7 billion people.
7 billion people can see how to vote as well. You're not asking 7 billion people to vote, but a small subset of 7 billion people.
I'm not exactly sure what type of evidence you are looking for with respect to the assertion that auditing a paper ballot system is easier than auditing an electronic voting system. Auditing a paper ballot system is trivial: any person who can see and can count can do it. On the other hand, if you are relying on a software system you need to audit the hardware, the software, etc, etc which requires a lot of skill and is tricky.
"But how secure and accurate was the 2018 vote? It’s impossible to tell because the state and the company aren’t sharing the basic information experts say is necessary to properly evaluate whether the blockchain voting pilot was actually a resounding success"
Not impossible to tell. If you do a 100% poll of a given county and ask for statistics afterwards, you have an impromptu security analysis.
How would you conduct a similar audit of how secure a paper ballot is for any given system? If all you do is an audit of a single vote, then you're no different.
Until paper ballots can no longer be dumped in the trash, paper auditing is hard at best.
I think the use case that blockchain potentially provides is an electronic version of a paper ledger.
With a database, you require a persistent connection to the database to have integrity. With a blockchain solution, you can build meshes of local connectivity that sync up.
I'm not a specialist in the area, and I don't think that blockchain is an end-all, be-all. But it does potentially add value.
> With a database, you require a persistent connection to the database to have integrity. With a blockchain solution, you can build meshes of local connectivity that sync up.
Nothing about what you described requires a block chain, dump the database to raw SQL and GPG sign it, distribute on your website. It's not like the information ever changes once the vote is done.
Nobody suggesting this as a solution is an expert either.
That may well be a great way to solve the problem.
I'm not saying that blockchain is the answer, just that blockchain is one potential answer, and may have attributes that make it subjectively better for this use case.
In my state, counties and some cities administer elections, and may semi-independently make product and process selections. There are definitely blockchain-based solutions intended to allow affiliated, independent entities to productively interact. That capability may be of interest to policy folks.
I'm always confused how I can apply for a mortgage / loan (aka a legally binding financial contract) online with just some details like my name + social security number, but this method of identification seems to not be acceptable when discussing voting?
Passwords are still the norm for online authentication, despite providing terrible user-hostile security. The US social security number is used both as an identifier, and as a static never-changing password.
I'm not familiar with the problems OP is referring to, but from my reading, most issues, in both security and methodology, have revolved around implementation.
The federal government should issue a nationally recognized identity card to every person which contains a digital certificate around which anyone (especially government services) can build their authentication & authorization systems.
1. Identification is not needed, only presenting a token, everyone gets exactly one token during the occasional registration. If you lose a token, you can get another one, deactivating the last ones.
2. There should not be any proof of work. Really, PoW is one of the worst things to secure a blockchain. In fact, you don’t need a blockchain. You just need a Merkle Tree. Blockchains are about ordering of transactions - the order here is irrelevant! (see caveat below)
3. How can you be sure every vote is counted in ANY system? As long as you can communicate your vote to a network, the gossip protocol takes care of it. Everyone gossips every vote to their neighbors, so just send it to a few nodes. Again - NO BLOCKCHAIN.
4. For each election, you fork a token to use. Then you simply participate in token mixers, like Monero rings. Put all your derived tokens into a hat, then each takes a token and uses it to cast a vote.
You may be wondering, what if someone votes with an “old” token version that hasn’t been mixed. First of all, we can require mixing. And secondly, they cryptographically signed over their token to someone else so when that someone votes with that token, it will override your vote for that token. Since they present your signature in the token history, that you signed it over.
This also allows us to have forms of democracy where you sign over tokens to other people for a timestamp range of, say, the next 1-2 years, to make decisions on your behalf. Better than representative democracy. More like a giant parliamentary system. You may pick a science expert to vote for scientific bills, and a criminal justice reform activist to vote for criminal justice bills.
We can get to near total participation in the democracy this way.
Caveat: although honest validators in each district can construct an eventually consistent Merkle tree by simply finding all validly signed tokens, ordering them lexicographically, and signing them, we DO need a “cutoff” time that they stop accepting offers. This is a Buridan’s ass problem, and it gets even hairier in a Byzantine Generals setting. We need to know that no one submitted a vote after the cutoff time. Thus, we need a two phase commit — each node has to gossip the cutoff time and other nodes have to acknowledge a widely gossipped message or get kicked out of the consensus. There are always edge cases to this — see Ripple’s consensus process for instance — and theoretically in very unlikely cases a “fork” can propagate to the population at large, one person thinking a vote was cast before the cutoff and the other thinking the vote was cast after the cutoff. But unless that handful of votes determines the entire election, that won’t matter. And frankly the same thing can happen even more with current systems.
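The caveat above has validators building a Merkle tree from validly signed tokens sorted lexicographically. As an added example (not part of the original comment), the sketch below shows two validators that receive the same ballots in a different gossip order deriving the same root, and a validator that accepts a ballot after the cutoff deriving a different one. The ballot format, `REGISTRAR_KEY`, and the HMAC tag (a stand-in for a real public-key signature) are assumptions made for the sketch.

```python
import hashlib
import hmac

# Constructed demo key; HMAC stands in for the public-key signature a real
# scheme would use (validators would verify with a public key, not a secret).
REGISTRAR_KEY = b"constructed-demo-key"


def issue_ballot(token_id: str, choice: str) -> bytes:
    """Hypothetical ballot format: token_id|choice|tag."""
    body = f"{token_id}|{choice}".encode()
    tag = hmac.new(REGISTRAR_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def is_valid(ballot: bytes) -> bool:
    try:
        body, tag = ballot.rsplit(b"|", 1)
    except ValueError:
        return False
    expected = hmac.new(REGISTRAR_KEY, body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(tag, expected)


# Domain-separated hashes so a leaf can never be confused with an inner node.
def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def canonical_leaves(gossip):
    """Drop invalid and duplicate ballots, then sort lexicographically."""
    return sorted({b for b in gossip if is_valid(b)})


def build_levels(leaves):
    level = [leaf_hash(x) for x in leaves]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(node_hash(level[i], level[i + 1]))
            else:
                nxt.append(level[i])  # odd node is promoted unchanged
        level = nxt
        levels.append(level)
    return levels


def merkle_root(gossip) -> bytes:
    leaves = canonical_leaves(gossip)
    if not leaves:
        return hashlib.sha256(b"").digest()
    return build_levels(leaves)[-1][0]


def inclusion_proof(gossip, ballot: bytes):
    """Sibling path a voter can keep to show the ballot is under the root."""
    leaves = canonical_leaves(gossip)
    idx = leaves.index(ballot)  # raises ValueError if the ballot is absent
    proof = []
    for level in build_levels(leaves)[:-1]:
        sib = idx ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < idx))  # (hash, sibling_is_left)
        idx //= 2
    return proof


def verify_inclusion(ballot: bytes, proof, root: bytes) -> bool:
    h = leaf_hash(ballot)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


# Constructed sample data: five valid ballots, one forged, one late.
BALLOTS = [issue_ballot(f"tok-{i:03d}", c)
           for i, c in enumerate(["alice", "bob", "alice", "carol", "bob"])]
FORGED = b"tok-999|alice|" + b"0" * 64
LATE = issue_ballot("tok-005", "carol")
VALIDATOR_A = BALLOTS + [FORGED]
VALIDATOR_B = list(reversed(BALLOTS)) + [BALLOTS[0], FORGED]  # reordered + duplicate


def demo():
    root_a, root_b = merkle_root(VALIDATOR_A), merkle_root(VALIDATOR_B)
    proof = inclusion_proof(VALIDATOR_A, BALLOTS[2])
    return {
        "roots_agree": root_a == root_b,
        "ballot_included": verify_inclusion(BALLOTS[2], proof, root_b),
        "forged_counted": FORGED in canonical_leaves(VALIDATOR_A),
        "late_vote_forks_root": merkle_root(VALIDATOR_A + [LATE]) != root_a,
    }


if __name__ == "__main__":
    print(demo())
```

The differing root in the last case is the fork the caveat describes: ordering is handled by the sort, but agreement on which ballots made the cutoff is not.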
What little has been described offers plenty of attack surface. The white paper has this to say about how paper copies of votes are printed out:
> When the polls close, members of each county clerk’s staff insert two cryptographically secure thumb drives into the vendor’s administrative portal laptop. Once the two thumb drives are verified, votes on the blockchain are automatically assembled as PDF files for each county. The Secretary of State’s office sends each county one PDF file containing all the marked ballots submitted by voters of that county. The clerk’s staff prints the ballots on cardstock with a ballot printer capable of printing up to 20” two-sided ballots (see Fig. 4). Each printed ballot contains the anonymous ID of the voter (see highlight in Fig. 5). Tabulation and the consolidation of results is done automatically by scanning the paper ballot into the precinct tabulator of the primary voting system (see Fig. 6).
How do the clerks get these thumb drives? What's the protocol for storage until used? Who has access to them? What physical security features do the drives implement?
If I were going to attack this system, the thumb drives seem like a juicy target with plenty of social engineering opportunities.
My polling station is less than 200m away. I have never waited more than two minutes to vote. All voting is with a pen on a paper ballot.
Once the precinct closes, you are allowed to stay and observe the counting. Because each polling place serves only a couple hundred voters, it is easy to follow the counting. As long as it is possible to do so without interfering, everyone can observe so closely they can read the actual ballots and verify that they are sorted into the correct piles. You can then watch the counting of those piles close enough to verify the count.
Later, you can go online and look up the row for your precinct in a spreadsheet.
This is end-to-end verifiability, and it is neither expensive nor unable to scale: A national election in Germany will see about 40 million voters.
What's most important: Unlike blockchain or any other online voting scheme, the whole process is easily understandable by everyone.
In times where every institution is suspected to be corrupt, being merely safe is not enough. It needs to be safe in a way that does not rely on experts in cryptography to say so.
I have seen only one valid objection to using this process in the US: It is far more common there to have elections with dozens of individual races and ballot issues. Germany usually has just two individual questions to be voted on, and maybe five when local and national races fall on the same day. Considering this, it would still be possible to use the process for the top X races on a given election day.
Are you suggesting a way to verify your vote was counted correctly is needed? Wouldn't that provide the ability for folks to sell their vote by being able to show someone else?
There are some ways to do this on paper ballots! They aren't foolproof, but provide optional verification of votes without relying on electronic voting.
Without proof that you voted a certain way, people are unlikely to pay you.
That's why some states don't allow you to take a picture of a ballot that you filled out. They're trying to prevent you from confirming that you voted a certain way.
That's not really scalable though. A few people might be able to get away with those schemes, but a few people generally isn't enough to swing an election.
> First, why shouldn't I be allowed to sell or trade my vote?
It's not about you selling your vote, it's about coercion. If your vote is verifiable, then you can be threatened with bodily harm for not voting a certain way, and/or for failing to verify that you voted a certain way.
Your freedom to sell your vote is worth less than someone's freedom to vote free of intimidation or threat of violence.
I lived in Oregon--which has had exclusively vote by mail for decades--for a while and never heard anyone bring up vote selling as a risk to election integrity. No one (journalists, legislators, etc) ever claimed it was happening.
The state republican party still makes occasional claims of voter fraud, but those are exceedingly rare -- something like 54 ballots out of 4 million in the 2016 election cycle -- and they mostly come down to people voting in Oregon and in another state at the same time.
The only reported case of election fraud I can remember was in 2016 and done by a republican, in which she tossed out a bunch of democratic voter ballots. That's it.
For two decades of elections, Oregon hasn't had a problem with election integrity. They do, however, have a consistently high turnout, which they attribute to vote-by-mail.
Oregon has a scheme to allow you to replace your mailed in ballot is why.
And this is a real issue, vote buying and coercion have historically been the most common voter fraud mechanism in the US. It's a major part of how Boss Tweed and his associates ran New York.
In the two states with vote-by-mail I've lived in, you can always hand-submit a paper ballot that takes precedence over your mailed one. The only way someone could be sure you voted one particular way is to monitor your actions for 100% of the time after you mailed the ballot.
This is less ideal than voting in person for everyone, as it still has failure cases like sufficiently abusive relationships. But it's an overall improvement over the previous system. Significantly more of the population votes in practice, making the vote a better measure of the ever-nebulous "will of the people".
Yes, multiple times for multiple different candidates because there is no way to prove who you voted for. There is a reason nobody does this in practice.
Please explain? It's not currently technically possible to provide proof that you voted for a specific person and thus making it impossible to buy votes.
The fact that you cannot personally verify whether your vote gets counted is a feature, not a bug.
> How can I ever check if my vote was counted by paper ballots?
You can watch if you want, or even be a part of the counting. IIRC most paper ballot schemes have the counting be public in some form or another, so that opposing factions can call each other out if someone is cheating in some way.
To a degree you have to put your trust in the system and build enough checks in so that no one part of it can be corrupted. The issue with electronic voting is that it's easy to scale attacks.
With a paper-based solution, you (or your organization) can also count the votes yourself. With the added advantage that it's harder to manipulate, less prone to failure, and easier for non-technical people to understand.
Multiple people can't get access to the paper documents at the same time. And when they do get access there's no guarantee that they are getting the actual papers that citizens submitted. Even if you got citizens to individually sign each one with their private key and write the signature on the paper, you still couldn't prove that votes weren't removed.
It doesn't involve all the interested parties and there's no way it could. That's what I'm trying to say. Maybe it's feasible for one watchdog organization to audit one polling station using your method. But it's not possible for every citizen to independently audit every polling station across the country, like you would be able to with the blockchain approach.
A number of end-to-end verifiable voting systems have been proposed and fielded! See [0].
The key issue they try to solve is how to let you check your vote was counted without being able to prove who you voted for to anyone else, thus preventing coercion attacks.
Most of them rely on paper, but some [1] provide reasonable guarantees about online voting.
Counting in public is the solution. You can attend the count yourself, or you can trust that the loser of the election will have people there to challenge any questionable moves made in the counting process.
Using a blockchain cannot (ever) tell you if your vote was counted.
Blockchains for election administration are a digital form of physical chain of custody. Like when you move boxes between locations.
You're thinking of crypto voting schemes. None of which have proven feasible in the wild.
The Australian ballot form of election administration means private voting, public counting. For example, dropping your ballot into a box at a poll site.
Any process enabling any kind of post mortem verification is more akin to accounting, eg open ledger with credits and debts. That's the opposite of a secret ballot.
> "Using a blockchain cannot (ever) tell you if your vote was counted."
What.
By voting you commit a change to the blockchain. The system should report back your "commit hash". Said hash is public (as is the entire blockchain), guaranteed to be unique, and counts towards the overall balance.
In contrast - a paper ballot can disappear. Your vote can be manipulated. All without any trace.
It's hard to directly compare the attack surface area of various systems. And yes, ballots have been disappeared, injected, etc. One of the prerequisites of Australian ballot election administration is having sufficient observers. But the same is true of any "trustworthy" process.
Having studied this stuff for over a decade (now inactive), I believe, but cannot definitively prove that paper ballots cast at poll sites is the most robust against attack. FWIW, the election integrity community concurs.
Security research and knowledge has progressed a lot in the last decade. It'd probably be worthwhile to circle back and apply the state of the art to this domain.
(Alas, saving democracy doesn't pay very well, so it's unlikely that it'll be me doing the work this time around.)
> "I believe, but cannot definitively prove that paper ballots cast at poll sites is the most robust against attack"
Here's how a Blockchain voting system can work:
1. Person casts vote using a voting machine.
2. Voting machine commits a change to a publicly available blockchain. The commit includes metadata such as the actual choice you made. It can optionally include even more metadata, such as "place of vote", "timestamp", "gender", "age".
3. Your vote has been cast, and the blockchain has been modified.
4. The voting machine prints a "receipt". Your receipt includes a "commit hash". You can use the hash to see, identify and verify your record has been registered with the blockchain. So can everyone else.
5. When the voting is done - a simple Python script traverses the blockchain - counting how many votes were given to each candidate.
This design ensures transparency and security. No compromises. You as an individual can know for a fact that your vote has been cast, and has been counted. As a society, we can finally verify and make sure our elections were fair game.
Our current system is the Australian ballot. Private voting, public counting. It's a battle hardened, field tested design which best balances the needs of society with the needs of the individual.
Some future system may find a new balance. Perhaps that new system no longer demands a secret ballot. Because the risks changed. (Note that some jurisdictions require a secret ballot, so YMMV.)
So if you want to supplant the Australian ballot with a different system, please start there. Explain the context, assumptions, risks, tradeoffs.
Because piecemeal changes to our existing system, without regard for the whole, have caused a mountain of heartache.
FWIW, I've been pondering "temporary privacy". Perhaps an embargo on all the election data for the critical time span. A friend of mine proposed (draft legislation) making all of the materials and documents available after an election is certified. For post mortem inspection. So you could feed all the ballot images into your own tabulator software. Or do your own signature comparisons. A huge change, because right now election data will be destroyed after certification (exactly when is per jurisdiction).
The problem, I think, is that you couldn't prove votes weren't _added_, unless there's some smart way to solve this problem. Obviously you couldn't inject too many votes or the total would seem suspicious. But considering US election turnout varies you could probably get away with a few percent, which could easily swing a close election.
Common solution with existing precinct tabulators: each voter is issued both an anonymous ballot and a permit with identifying information. After marking the ballot, the ballot is inserted into the tabulator and the permit is retained in a file with the tabulator. At the end of each day, the number of votes recorded by the tabulator should match the number of permits, which contain the identifying information and so can be audited against the pollbooks.
This same model can be extended to the blockchain approach, but isn't using a blockchain to solve the ballot-stuffing problem - just using a conventional paper technique.
Not in the system they used, it was private. As has been noted elsewhere, it would be trivial for the majority of peers to be under nefarious control.
I fill out the paper ballot, so no matter what I've voted. It is really clear how to use the system, and I'm not waiting on technology no matter what happens next.
Then I roll it into the machine itself and it goes into a locked box attached to the machine.
There is always a paper record.
The machines and votes are tied together so auditing is straightforward.
It really seems like it would be hard to have a system that is "better".
It's all the security of physical ballots, with the speed of electronic, and very specific / targeted auditing ability that benefits both the electronic and physical domains.
FWIW, learning about this stuff completely burst all my preconceptions.
Even as a geek utterly opposed to most all use of computers for tabulation, I came to believe the biggest threat to election integrity is change. We just have to stop shaking the ant farm every few years. Whatever changes are warranted, they need to be slow, deliberate, methodical. Because it all really comes down to the people (admins, voters, candidates, observers, etc), their domain knowledge, expectations, and experience.
As Alistair Cockburn wrote, good people can make even bad processes workable.
> It isn't even a solution in search of a problem it's a problem in search of a place to explode.
I won't knock blockchain completely, because I don't believe I'm smart enough to, and it likely has many useful applications, but I feel like half the time I hear about blockchain, this quote is applicable.
1. like paper money, anonymous - my vote should be secret.
2. Hard to do large scale fraud or manipulation - not being efficient or automatable is a feature guys...
3. Physically going to the polls, voting in public, yet private at the end really makes it hard to put pressure on people to vote one way or another. Compare that to voting electronically at home or in church or at work....
3b. You can spoil paper ballots during in-person voting, which means a photograph of your ballot is insufficient proof that you actually cast that particular ballot.
This is a solution to the problem of more pork for vendors.
Anyone wanting to understand why any of these changes occurs will be illuminated by better understanding the business models of the vendors and the appropriations (budgets) of the jurisdictions.
During the HAVA bonanza, which brought us the touchscreens, vendors envied high tech valuations, so repackaged themselves as product companies.
When that fad went bust (market saturation), vendors repackaged themselves as service companies. With a big difference from their prior incarnation. Changing from time & materials to charging a fee for every task for every voter every election.
Before, you'd buy ballots for expected turnout plus 10%.
Now, (with vote-by-mail) you buy the whole ballot packet, for every voter every election.
Before, you'd pay 10 cents for every voter signature verified.
Now, you pay for signature verification services for every voter every election.
It's astonishing how each and every step of the process has been monetized (rent seeking).
--
Huh. It just now occurs to me there's probably a better way to summarize the business practices of the vendors:
Just imagine what IT vendors like Oracle do to maximize revenue applied to election administration.
Many people can't afford to take the day off for voting. And even mail ballots are allowed, making the process easier would encourage more participation. Is this not a problem worth solving?
Sure, but can't that be solved for most people by holding elections on a Sunday and keeping the polls open from 08:00 to 20:00? That way it is only a small percentage who are unable to vote.
Sweden has this plus early voting and we have between 85% and 90% participation in our elections. The early voting of course makes it easier to manipulate votes.
That's not actually possible in the sense that declaring a day a holiday doesn't actually prevent employers from giving people shifts. If anything, restaurants and stores actually retain more staff during holidays. The only people a holiday would affect would be people working high end jobs that probably wouldn't have issues voting anyways.
Vote by mail and extended voting hours are much more effective solutions for people who otherwise couldn't find the time to vote.
Fine, bring out the heavy law-making artillery then. Make it mandatory to give staff time off to go voting with heavy penalties for non-compliance and some kind of nice carrot for compliance.
Doesn't work either. In some districts, one candidate got more votes than actual ballots because some were 'accidentally scanned more than once.' In those situations, since the counts are off, the original vote stands.
So, just make sure you throw out all your extra ballots and you're fine.
Why simply deride electronic voting as a solution in search of a problem? There are many problems it solves.
1. How about low voter turnout, so elections aren’t representative of what the people want. An app would increase voter turnout by a lot, especially the younger vote.
3. How about being able to count elections in time to call them, instead of things where Bush gets elected because some guys ran out of time, and then it turns out Gore would have won?
Aren’t these important enough problems for a democracy to solve?
Instead of simply downvoting, why not actually address what I am saying! I am going to go point by point.
Sure, absentee ballots are a thing, but guess what. People like apps. If it’s secure enough for everyone’s banking needs, why not for a vote?
You can make the same argument about money — that banking apps are a honeypot for thieves etc. And yet we have made banking apps so so secure that you’d use them to move thousands of dollars.
If everyone voted from their phone, it could be anonymous and cryptographically secure. And a Merkle tree would record all results.
What is the issue? Every problem you point out with electronics can be done with paper ballots, too.
The interface can lie to you? Has been done with butterfly ballots and others.
The vote counting process is rigged? Have different groups audit the process.
In fact, having cryptographically secure receipts makes it extra easy and fast to verify votes. Al Gore would have won, because they wouldn’t have had to take so much time for a recount:
Erm sorry. The solution. Token mixing. You get one token per person, but then they go through a cryptographically secured mixer before being used to sign your vote. Kind of like with Monero rings.
5. Accountability
How can we prove the votes happened the way you wanted them to?
Well, YOU still have your token on YOUR phone (no one else does) so your app can audit the Merkle tree.
Zero-Knowledge Proofs would be overkill here because proving how you voted to someone else is important (See #3, above). In addition, ZK proofs are a bit ivory-tower idealistic since most people don’t have the knowhow to “produce a fake alternative vote”.
The Merkle Tree can consist of smaller branches, one for each district. The results can be tallied in near real time, and verified by anyone. Results would be known in real-time.
6. But realtime reporting will affect voters!
Yes, and it currently already does, with Ohio, Michigan, and so on. The current system makes some states way more important than others:
Why not require all states to have primaries at the same time and not reveal the results til the end? This is a political, not technological, solution.
The only one major problem I see with electronic voting is #3, the trusted computing base. I listed the main solution above, but I am sure there will be many improvements on it.
- Voting in private on a phone app. The opportunity for coercion is huge. The brilliant thing about putting a cross on paper in a booth on your own and dropping into a box, is no-one knows how you voted - so no comeback.
- Anything in software has the opportunity for a large scale attack. The incentive for doing such attacks is large. Look at all the energy put into gerrymandering etc today - Why risk it?
- the ability to do a sensible audit is beyond most people - auditing a pile of paper is easy - anyone can participate. Software you'd need to trust a small priesthood - that's not democracy, and it's totally dangerous (forget algorithms, the weak points are people).
I'd also question your premise that low voter turn out is largely due to inconvenience. Sure for some, but I'd argue lack of participation is largely driven by other factors - like nobody worth voting for....
Finally paper system is easily adaptable - want a box for write ins? Move to single transferable vote? Just print different paper and people doing the counting can adjust - no software re-writes.
> - Voting in private on a phone app. The opportunity for coercion is huge. The brilliant thing about putting a cross on paper in a booth on your own and dropping into a box, is no-one knows how you voted - so no comeback.
How is that true, when I just posted that voter databases have been leaked?
I assume the voting history is only if they voted or not, which is sensitive for sure, but not that vital since with paper ballots you can put in an invalid vote or a vote for another candidate if coerced and there would be no way to check what you voted. With an app it would be possible to force people to prove what they voted for.
I don’t understand how being able to prove who you voted for is going to lead to more negative than positive. Can you walk me through how, realistically, a large scale voter coercion operation would even work?
If you know how a district voted, why not coerce the entire district? After all, if you have access to unlimited coercion powers, you’d be wasting them on a couple individuals.
I say if someone has the power to coerce others to that extent, we have bigger problems in our democracy. They can, for example, coerce members of the opposing party to stay home and not vote.
All it means is people know that you voted. Party registration isn't destiny. Maryland has a ton of registered Democrats but Republican Governor Larry Hogan is pretty popular there. West Virginia has a lot of ancestral Democrats, but it's a far cry from being competitive at the presidential level, though Democratic Senator Joe Manchin manages to survive.
Well you can simply outlaw/fine the kind of threats or rewards that you mentioned. And before you ask how one would prove it, it is more provable than sexual harassment or advancement for sexual favors, since it involves proof.
Outlawing that sort of behavior isn’t mutually exclusive of building sensible election systems that maintain ballot secrecy. It’s really unclear what you’re arguing for when you keep jumping around various aspects of elections (and sexual harassment?) in a totally incoherent manner.
You'd get better rates buying this information directly from the state.
The most additional information you can glean from this is what primary a person voted in anyways. These are just participation history and registration information. Do explain how I can figure out which candidate someone voted for in the general from this information?
Only two things have been proven to increase voter participation (in the USA):
Peer pressure, culture of voting (your neighbors noticing they didn't see you at the poll site).
Competitive races.
On the flip, there are many things which counteract vote suppression:
Universal, automatic voter registration (just like all other mature democracies).
Reenfranchise felons.
Fair redistricting.
Adequate funding for election administration.
--
I've not seen any data suggesting that digital voting schemes have or may boost voter participation. And there's numerous cases where such systems disenfranchised voters.
> 1. How about low voter turnout, so elections aren’t representative of what the people want. An app would increase voter turnout by a lot, especially the younger vote.
> 2. How about letting less mobile people to vote. Or people who are not able to take off work that day.
Paper mail-in ballots are a well-established way to accomplish this, though they do have their own risks---specifically vote-buying and coercion. My county in California also allows curbside voting by appointment, which is pretty great for elderly voters.
> 3. How about being able to count elections in time to call them, instead of things where Bush gets elected because some guys ran out of time, and then it turns out Gore would have won?
This is already a solved problem with precinct-counted optical scanned ballots.
I highly recommend you volunteer to be a poll worker the next time there's an election in your state. You'll learn a lot about the real problems on the ground. For example, in my precinct during the 2018 midterms, we encountered an issue with the voter rolls: the city had recently renamed a street but a lot of people's registrations still reflected the previous name, which slowed things down significantly.
Well, here is the rub: paper ballots are useless unless you can prove who is voting, and yet we have nearly the same people yelling about how unfair it is to require people to prove who they are to vote.
You cannot have one without the other if your intent is to protect the system, and to be honest you only need paper ballots as a receipt to allow verification in case of suspected interference. We have already seen that some paper ballot designs are more prone to fraud than others.
> Voatz’s website states that “a paper ballot is generated on election night” and is tallied “using the standard counting process at each participating county.” What that means is the voter’s vote is sent to the county clerk staff as a PDF, and the county clerk staff prints it out and puts it into the scanning tabulator.
So at some point your vote is printed out on a paper, and scanned? Doesn't seem all that anonymous, for one thing.
An anonymous id is attached to the pdf. Not the user's specific name/information.
"The county clerks were able to conduct a pre-tabulation audit (unprecedented in US election history) by comparing anonymized copies of the voter verified digital receipts with the marked paper ballots prior to feeding the paper ballots into the scanners for seamless tabulation alongside the primary voting system."
Thanks. I don't get the anonymization. I live in a town of 5000, and I wonder how many overseas ballots the Town Clerk sees. Total speculation on my part, but it would not surprise me if it was 1.
Blockchain is a buzzword, but we've already had strong cryptographic protocols for voting that predate Satoshi.
We've known for decades how to conduct elections where every vote is provably counted, any individual vote is completely anonymous, and the identity of every voter participant is provable (i.e. preventing ballot stuffing).
1. Every vote further secures the blockchain voting process. The only way to overcome this is with a 51% attack, so every vote cast further ensures the validity of the entire chain.
2. The chain can be public and anonymous, which gives every voter a verifiable way of understanding their vote. They can look and ensure that their vote was cast exactly as they intended, but it also allows administrators a way to review the votes.
The core part that the article got wrong was that county administrators have a definite way of pre-tabulating as well as tabulating votes.
David Gerard, a prominent blockchain skeptic who generally does his homework well, writes that Voatz is "running Hyperledger on four nodes [...] it’s just a single-user clustered database". [1]
Yes, this. Voatz is holding a lot of power here and I can only imagine how well their solution is implemented. Do state or local governments even understand what they do?
If the blockchain is published can't people check 1) that the votes add up to the correct totals and 2) that their vote is reflected in the blockchain?
A blockchain (at least one used like this) is not the right tool here.
Really, all you need is some sort of publicly-defined machine-readable representation of your vote that gets a digital signature locally on your device. You have an open-source app that can sign the vote payload. Then you send the signed payload to the server where it gets added to a plaintext repository.
At this point it would be good to use a signed chain (like git for example) and at this point you "commit" your vote with a timestamp and send the result back to the client. (Commit hash and timestamp.)
Then later, you could just look for the commit sha and timestamp. Of course this means anyone with access to your signature can see who you voted for. Which is a general shortcoming of signature-chain systems.
Another way of doing it might be to have two different blockchains. One has signatures + votes and the other has only the signatures. The one with only the signatures is publicly posted, and the one with signatures + votes is privately audited. The trouble is deciding whether you value anonymity or integrity more.
Of course, in this case it's not clear what the people involved value, since the blockchain is private and just a database that anyone can recreate from scratch at any time.
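The commit-hash receipt scheme from the numbered steps earlier in the thread and the git-like signed chain in the comment above, checked against the permit-count reconciliation another commenter described, as an added example that is not part of the thread and is not Voatz's code. It shows that a receipt held by the voter exposes an in-place edit or a full rewrite of the chain, while appended votes are caught only by the paper permit count. The ledger layout, function names, sample votes and permit numbers are all constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder for the first entry's parent hash

# Constructed sample data: (choice, precinct, timestamp)
SAMPLE_VOTES = [("A", "P1", 1), ("B", "P1", 2), ("A", "P2", 3),
                ("B", "P2", 4), ("A", "P2", 5)]
# Constructed count of paper permits issued per precinct (from the pollbooks).
PERMITS = {"P1": 2, "P2": 3}


def commit_hash(prev_hash, payload):
    """Hash of the parent hash plus the vote payload, like a git commit id."""
    body = json.dumps({"prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class VoteLedger:
    """Append-only list of entries; hypothetical layout, not a real product's."""

    def __init__(self):
        self.entries = []

    def cast(self, choice, precinct, timestamp):
        """Append a vote and return its commit hash (the voter's receipt)."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = {"choice": choice, "precinct": precinct, "ts": timestamp}
        digest = commit_hash(prev, payload)
        self.entries.append({"prev": prev, "payload": payload, "hash": digest})
        return digest


def verify_chain(entries):
    """Return the index of the first inconsistent entry, or None if intact."""
    prev = GENESIS
    for index, entry in enumerate(entries):
        recomputed = commit_hash(entry["prev"], entry["payload"])
        if entry["prev"] != prev or recomputed != entry["hash"]:
            return index
        prev = entry["hash"]
    return None


def receipt_included(entries, receipt):
    """True if some entry carries exactly this commit hash."""
    return any(entry["hash"] == receipt for entry in entries)


def tally(entries):
    """Count votes per choice by walking the chain."""
    counts = {}
    for entry in entries:
        choice = entry["payload"]["choice"]
        counts[choice] = counts.get(choice, 0) + 1
    return counts


def rewrite_from(entries, index, new_choice):
    """Model an operator who changes one vote and recomputes all later hashes."""
    rewritten = [dict(entry) for entry in entries[:index]]
    prev = rewritten[-1]["hash"] if rewritten else GENESIS
    for position in range(index, len(entries)):
        payload = dict(entries[position]["payload"])
        if position == index:
            payload["choice"] = new_choice
        digest = commit_hash(prev, payload)
        rewritten.append({"prev": prev, "payload": payload, "hash": digest})
        prev = digest
    return rewritten


def reconcile(entries, permits):
    """Return {precinct: (ledger_votes, permits)} where the counts differ."""
    votes = {}
    for entry in entries:
        precinct = entry["payload"]["precinct"]
        votes[precinct] = votes.get(precinct, 0) + 1
    return {p: (votes.get(p, 0), permits.get(p, 0))
            for p in sorted(set(votes) | set(permits))
            if votes.get(p, 0) != permits.get(p, 0)}


if __name__ == "__main__":
    ledger = VoteLedger()
    receipts = [ledger.cast(*vote) for vote in SAMPLE_VOTES]
    print("honest chain intact:", verify_chain(ledger.entries) is None)
    print("honest tally:", tally(ledger.entries))

    # A chain rewritten by whoever controls the nodes is internally valid;
    # only receipts held outside the system show that history changed.
    forged = rewrite_from(ledger.entries, 1, "A")
    missing = [r for r in receipts if not receipt_included(forged, r)]
    print("forged chain intact:", verify_chain(forged) is None)
    print("receipts missing after rewrite:", len(missing))

    # Appended votes break no hash and no receipt; the permit count catches them.
    ledger.cast("B", "P2", 6)
    ledger.cast("B", "P2", 7)
    print("stuffed chain intact:", verify_chain(ledger.entries) is None)
    print("permit mismatches:", reconcile(ledger.entries, PERMITS))
```
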
You could check that the vote adds up, but you cannot check that the votes are correct.
Since Voatz is basically a private blockchain, there is no way to check that the blockchain was tampered with, or even saved the correct votes, before it has been made public (which will be after the vote).
The only way would be to have a mechanism for people to check if their vote was correctly saved at any point. And this is a very big problem, as having a way to know who voted for whom in a democracy is a very very very big no no.
The initial point of a blockchain was to provide a mechanism for consensus in a system with multiple parties that lack trust for each other and with no central arbiter.
Can we access this blockchain to view the votes? No? Then it's opaque to us. It's a private blockchain.
Well you can't really know even if you go and submit a paper ballot. If you could verify your vote, you could sell it. I don't know if that's still a realistic scenario these days when Tammany Hall isn't literally beating people for votes, but it's a reason why you can't tie a vote to yourself individually.
You should check out ThreeBallot for a simple counterexample. The idea is that you xor together 3 ballots when you vote, but one of the three ballots is published. You have a 1/3 chance of catching manipulation.
"But how secure and accurate was the 2018 vote? It’s impossible to tell because the state and the company aren’t sharing the basic information experts say is necessary to properly evaluate whether the blockchain voting pilot was actually a resounding success."
This seems so preposterous I have a hard time believing the story is being reported correctly. The state or Voatz are apparently unwilling to prove their system is secure. What are they going to do if someone disputes the results of the election?
Transparency/verifiability seems like almost the only half-way decent reason to use a blockchain for voting. And then they do it using a closed source undocumented proprietary blockchain.
Until your boss fires you for not voting to the company line, of course not officially. Having a verifiable can turn into a double edged sword for many reasons.